SANS: Know the Security Mission

Wednesday, March 22, 2017 @ 07:03 PM gHale

By Gregory Hale
Sometimes you can reach your goal by starting from nothing and cobbling together thoughts and ideas piece by piece until they connect and the result is a final product.

There is no initial vision, but that comes together after working and living through the experience. Kind of a Monday morning quarterback thing.

Other times there is a vision from the top, or from someone who had an idea and simply says, here is a plan, let’s execute on it and it will help us move forward.

No matter how it comes together, the end result is the mission. When it comes to security, it is amazing how quickly professionals can get mired in the muck of everyday experiences and lose sight of what that mission truly is.

The big picture for every manufacturer is to keep systems up and running, producing product, safeguarding intellectual property and keeping everyone safe. Pretty simple, right?

Security today compared to five years ago – and maybe even a year if you talk to some industry experts – is night and day. Not quite where the industry should be, but further advanced than it was.

“For years we admired the problem. Today, it is not uncommon when you buy a controller there are more secure enhancements,” said Mike Assante, Industrial & Infrastructure Practice ICS/SCADA lead at the SANS Institute, during his keynote at the SANS ICS Security Summit in Orlando, FL, Monday. “Fundamentally, security is being designed into control elements. There are more areas where security has to catch up, but we are getting there. Over time, we saw a combination of skill sets. There is progress.”

The days of adding security to a proposal only if you are asked about it are long gone, because end users expect it to be in the solution.

“More companies are putting it in the safety category,” Assante said.

But in this changing landscape, “it is not a question of progress, but can we keep pace. In a changing landscape, models are changing, we are dynamic. This is the main event. More companies are moving toward digital technologies.”

What people used to describe as the potential for attacks is now falling in line with real attacks on real critical infrastructure.

Take the most recent attack in Ukraine as a case in point. In that attack, civilians lost power for just over an hour after a cyber attack against the utility.

“The stakes are growing with expanding attack surfaces,” Assante said. “We understand how exposed we are in the architectures. We have seen a shift in motivations and diversity of attacks. We have always known they were possible; now we are seeing them demonstrated. We are seeing attacks that are damaging devices at the firmware level.”

With the Ukraine attacks used as a barometer, Assante said the security industry has to fall back and use the growth and stability of the safety movement as an aid.

“We have done incredible things with safety. We have dealt well with accidents, storms and errors. Now the biggest challenge is in the cyber domain. The complexity and the level of abstraction has been difficult to see. Complexity and abstraction of software is creating a challenge. I think we are up to the challenge.”

One person living that challenge every day is Sanford Rice, SCADA system developer at Atmos Energy Corporation, a gas pipeline company.

Rice, a control engineer by trade and a relative newcomer to security, talked about tips for those new to ICS security: “Don’t panic.”

He also laid out a few basic ideas for starting a security program:
• Start with basics
• Adopt a culture, treat security like safety
• Learn how to talk the talk

“Our mission is to provide information and keep it safe. Our system is designed to be static. Our system does not change, it is simple. We are on the low end of utilization and load.”

What is interesting is that Atmos knows security is a big issue and is not afraid to invest.

“We have implemented more changes in security than we have in operability and usability,” Rice said.

In terms of technology, Rice does not have to go out and reinvent the wheel all the time.

“COTS (commercial off the shelf) can help. We have been successful along the way and found people that can help. We have used IT solutions to make improvements.”